This quickstart builds upon Integrating with a SAML Identity Provider (IdP) in your ASP.NET Core application. We will discuss the scenario where you have an IdentityServer federating with an external SAML IdP. Hence, IdentityServer is acting as a SAML Service Provider (SP) to an external IdP.
We recommend following the IdentityServer recommendation for integrating with an external IdP. This page will only cover only the SAML-specific advice. Please refer to the IdentityServer documentation for a thorough explanation of the entire login process.
Temporary Sign-in Scheme
A temporary cookie is used to remember the identity parsed from the external IdP. A callback method is then used to perform custom business logic to map claims and link the external user to a local user.
Our SAML component doesn't map to OIDC claims, so it will never include the "sub" claim that IdentityServer needs. So using this recommended approach, you can ensure that your main authentication cookie has all the required claims that IdentityServer needs. Otherwise, IdentityServer will throw a "sub claim is missing" error.
services.AddAuthentication()
.AddSaml2p("saml2p", options => {
options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
// Other configuration code removed for brevity
});
Sign-out Scheme
When implementing Single Logout, you must set the SignOutScheme
configuration option to the main authentication cookie that you sign the user into.
The SAML logout request needs to contain the NameID of the user that is requesting logout.
We get the current user from the cookie you specify as the SignoutScheme
.
Therefore, SAML logout will fail if the SignoutScheme
is not set to the main authentication cookie.
services.AddAuthentication()
.AddSaml2p("saml2p", options => {
options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
options.SignOutScheme = IdentityServerConstants.DefaultCookieAuthenticationScheme;
options.NameIdClaimType = "sub";
// Other configuration code removed for brevity
});
Code Sample
We have an IdentityServer sample configured to act as a SAML SP to an external SAML IdP. The logic for triggering and handling the external sign-on is handled within the ExternalController.cs.